urlscan.io logo urlscan.io
SecurityTrails logo

worksites.baxter.com Open in urlscan Pro
13.107.139.11  Malicious Activity! Public Scan

Go To Rescan Add Verdict Report
URL: https://worksites.baxter.com/sites/ocp_portal/_layouts/15/acceptinvite.aspx?invitation=%7B687543D5%2D45BE%2D42D2%2D8762%2DE5D...
Submission: On January 31 via manual from BE — Scanned from DE
 Behaviour Indicators
Similar DOM Content API
Verdicts

Summary

This website contacted 1 IPs in 1 countries across 1 domains to perform 4 HTTP transactions. The main IP is 13.107.139.11, located in Redmond, United States and belongs to MICROSOFT-CORP-MSN-AS-BLOCK, US. The main domain is worksites.baxter.com.
TLS certificate: Issued by Entrust Certification Authority - L1K on November 11th 2022. Valid for: a year.
This is the only time worksites.baxter.com was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Office 365 (Online)

Domain & IP information

IP Address AS Autonomous System
4 13.107.139.11 8068 (MICROSOFT...)
4 1
Apex Domain
Subdomains		 Transfer
4 baxter.com
worksites.baxter.com
12 KB
4 1
Domain Requested by
4 worksites.baxter.com worksites.baxter.com
4 1

This site contains links to these domains. Also see Links.

Domain
myapps.microsoft.com
signup.live.com
go.microsoft.com
Subject Issuer Validity Valid
worksites.baxter.com
Entrust Certification Authority - L1K		 2022-11-11 -
2023-11-11		 a year crt.sh

This page contains 1 frames:

Primary Page: https://worksites.baxter.com/sites/ocp_portal/_layouts/15/acceptinvite.aspx?invitation=%7B687543D5%2D45BE%2D42D2%2D8762%2DE5DACC2457F8%7D
Frame ID: F6BB769A321FCFAC007A9B3F96E2F3FE
Requests: 4 HTTP requests in this frame

Screenshot
Live screenshot
Full Image

Page Title

Willkommen bei SharePoint Online

Detected technologies

Overall confidence: 100%
Detected patterns
  • \.aspx?(?:$|\?)

Page Statistics

4
Requests

100 %
HTTPS

0 %
IPv6

1
Domains

1
Subdomains

1
IPs

1
Countries

12 kB
Transfer

13 kB
Size

0
Cookies

Redirected requests

There were HTTP redirect chains for the following requests:

4 HTTP transactions

Resource
Path		 Size
x-fer		 Type
MIME-Type
Primary Request acceptinvite.aspx
worksites.baxter.com/sites/ocp_portal/_layouts/15/ 		5 KB
4 KB 		Document
General
Check archive.org
Download Go to
Full URL
https://worksites.baxter.com/sites/ocp_portal/_layouts/15/acceptinvite.aspx?invitation=%7B687543D5%2D45BE%2D42D2%2D8762%2DE5DACC2457F8%7D
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
13.107.139.11 Redmond, United States, ASN8068 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software
/ ASP.NET
Resource Hash
db9cc9c12e38305328a7a4de59b9489a1b3e580dd1f08efa28815d9d6abff715
Security Headers
Name Value
Content-Security-Policy frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com;
Strict-Transport-Security max-age=31536000
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN

Request headers

Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.119 Safari/537.36
accept-language
de-DE,de;q=0.9

Response headers

cache-control
private
content-encoding
gzip
content-length
2663
content-security-policy
frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com;
content-type
text/html; charset=utf-8
date
Tue, 31 Jan 2023 09:20:14 GMT
microsoftsharepointteamservices
16.0.0.23311
ms-cv
oJGU1VcgADBAu0vY9GkpAw.0
nel
{"report_to":"network-errors","max_age":7200,"success_fraction":0.001,"failure_fraction":1.0}
p3p
CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
report-to
{"group":"network-errors","max_age":7200,"endpoints":[{"url":"https://spo.nel.measure.office.net/api/report?tenantId=c8c6dd35-871f-4f30-85ac-6535f3982514&destinationEndpoint=Edge-Prod-LON21r5d&frontEnd=AFD"}]}
request-id
d59491a0-2057-3000-40bb-4bd8f4692903
spiislatency
1
sprequestduration
94
sprequestguid
d59491a0-2057-3000-40bb-4bd8f4692903
strict-transport-security
max-age=31536000
vary
Accept-Encoding
x-1dscollectorurl
https://mobile.events.data.microsoft.com/OneCollector/1.0/
x-ariacollectorurl
https://browser.pipe.aria.microsoft.com/Collector/3.0/
x-aspnet-version
4.0.30319
x-cache
CONFIG_NOCACHE
x-content-type-options
nosniff
x-databoundary
NONE
x-frame-options
SAMEORIGIN
x-ms-invokeapp
1; RequireReadOnly
x-msedge-ref
Ref A: E57ED2BD09614E6B88EECBC7E8711781 Ref B: LON21EDGE0317 Ref C: 2023-01-31T09:20:15Z
x-networkstatistics
0,525568,0,131,4655686,0,525568
x-powered-by
ASP.NET
x-sharepointhealthscore
0
O365BrandSuite.png
worksites.baxter.com/_layouts/15/images/ 		2 KB
2 KB 		Image
General
Check archive.org
Download Go to Show image
Full URL
https://worksites.baxter.com/_layouts/15/images/O365BrandSuite.png?rev=47
Requested by
Host: worksites.baxter.com
URL: https://worksites.baxter.com/sites/ocp_portal/_layouts/15/acceptinvite.aspx?invitation=%7B687543D5%2D45BE%2D42D2%2D8762%2DE5DACC2457F8%7D
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
13.107.139.11 Redmond, United States, ASN8068 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software
/ ASP.NET
Resource Hash
80ee541df476d7a3a5e2cd242233b2c089189af831cc62d8f0b1778d8075eba1
Security Headers
Name Value
X-Content-Type-Options nosniff

Request headers

accept-language
de-DE,de;q=0.9
Referer
https://worksites.baxter.com/sites/ocp_portal/_layouts/15/acceptinvite.aspx?invitation=%7B687543D5%2D45BE%2D42D2%2D8762%2DE5DACC2457F8%7D
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.119 Safari/537.36

Response headers

date
Tue, 31 Jan 2023 09:20:15 GMT
x-content-type-options
nosniff
x-powered-by
ASP.NET
x-cache
CONFIG_NOCACHE
p3p
CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
content-length
2122
microsoftsharepointteamservices
16.0.0.23311
x-ms-invokeapp
1; RequireReadOnly
sprequestduration
4
last-modified
Wed, 25 Jan 2023 03:35:59 GMT
x-msedge-ref
Ref A: CF5ADA90991546559B1884CB593C3CCB Ref B: LON21EDGE0317 Ref C: 2023-01-31T09:20:15Z
etag
"8079d7236e30d91:0"
content-type
image/png
cache-control
max-age=31536000
accept-ranges
bytes
spiislatency
0
WindowsLiveHotmail.png
worksites.baxter.com/_layouts/15/images/ 		3 KB
3 KB 		Image
General
Check archive.org
Download Go to Show image
Full URL
https://worksites.baxter.com/_layouts/15/images/WindowsLiveHotmail.png
Requested by
Host: worksites.baxter.com
URL: https://worksites.baxter.com/sites/ocp_portal/_layouts/15/acceptinvite.aspx?invitation=%7B687543D5%2D45BE%2D42D2%2D8762%2DE5DACC2457F8%7D
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
13.107.139.11 Redmond, United States, ASN8068 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software
/ ASP.NET
Resource Hash
da7b1e7c0e95a9caba46be191f562268cee236556f67e4b10f2b3a05785b9cad
Security Headers
Name Value
X-Content-Type-Options nosniff

Request headers

accept-language
de-DE,de;q=0.9
Referer
https://worksites.baxter.com/sites/ocp_portal/_layouts/15/acceptinvite.aspx?invitation=%7B687543D5%2D45BE%2D42D2%2D8762%2DE5DACC2457F8%7D
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.119 Safari/537.36

Response headers

date
Tue, 31 Jan 2023 09:20:15 GMT
x-content-type-options
nosniff
x-powered-by
ASP.NET
x-cache
CONFIG_NOCACHE
p3p
CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
content-length
2955
microsoftsharepointteamservices
16.0.0.23311
x-ms-invokeapp
1; RequireReadOnly
sprequestduration
4
last-modified
Wed, 25 Jan 2023 03:35:43 GMT
x-msedge-ref
Ref A: CA3CBE43A0F94802810366B1132F759E Ref B: LON21EDGE0317 Ref C: 2023-01-31T09:20:15Z
etag
"80114e1a6e30d91:0"
content-type
image/png
cache-control
max-age=31536000
accept-ranges
bytes
spiislatency
0
MicrosoftOnlineServiceID.png
worksites.baxter.com/_layouts/15/images/ 		2 KB
3 KB 		Image
General
Check archive.org
Download Go to Show image
Full URL
https://worksites.baxter.com/_layouts/15/images/MicrosoftOnlineServiceID.png
Requested by
Host: worksites.baxter.com
URL: https://worksites.baxter.com/sites/ocp_portal/_layouts/15/acceptinvite.aspx?invitation=%7B687543D5%2D45BE%2D42D2%2D8762%2DE5DACC2457F8%7D
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
13.107.139.11 Redmond, United States, ASN8068 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software
/ ASP.NET
Resource Hash
989b447ae71af111ef417ac1c41b09e8f6a6c34ab4b222e78cfa2b0f3c935b11
Security Headers
Name Value
X-Content-Type-Options nosniff

Request headers

accept-language
de-DE,de;q=0.9
Referer
https://worksites.baxter.com/sites/ocp_portal/_layouts/15/acceptinvite.aspx?invitation=%7B687543D5%2D45BE%2D42D2%2D8762%2DE5DACC2457F8%7D
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.119 Safari/537.36

Response headers

date
Tue, 31 Jan 2023 09:20:15 GMT
x-content-type-options
nosniff
x-powered-by
ASP.NET
x-cache
CONFIG_NOCACHE
p3p
CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
content-length
2521
microsoftsharepointteamservices
16.0.0.23311
x-ms-invokeapp
1; RequireReadOnly
sprequestduration
4
last-modified
Wed, 25 Jan 2023 03:35:43 GMT
x-msedge-ref
Ref A: D7E3E5FA481840229E55E50C0DAD6B94 Ref B: LON21EDGE0317 Ref C: 2023-01-31T09:20:15Z
etag
"80114e1a6e30d91:0"
content-type
image/png
cache-control
max-age=31536000
accept-ranges
bytes
spiislatency
0

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Office 365 (Online)

7 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

object| oncontentvisibilityautostatechange number| g_duration number| g_iisLatency number| g_cpuDuration number| g_queryCount number| g_queryDuration number| g_requireJSDone

0 Cookies

Security Headers

This page lists any security headers set by the main page. If you want to understand what these mean and how to use them, head on over to this page

Header Value
Content-Security-Policy frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com;
Strict-Transport-Security max-age=31536000
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN